Network Segmentation Practices


Summary

Network segmentation practices involve dividing a computer network into smaller parts to isolate and protect sensitive systems, limit access, and slow down attackers if they get inside. This security approach helps organizations contain threats, prevent lateral movement, and manage traffic according to function and sensitivity.

  • Review boundaries: Ensure your network has clear separation between segments by using firewalls and access controls, so only necessary communications are allowed.
  • Monitor continually: Keep an eye on alerts and logs to spot and fix any violations of segmentation policies before they become problems.
  • Test regularly: Periodically scan your network and validate that segmentation controls are working as intended, especially after changes or upgrades.
Summarized by AI based on LinkedIn member posts
  • Nathaniel Alagbe CISA CISM CISSP CRISC CCAK CFE AAIA FCA

    IT Audit & GRC Leader | AI & Cloud Security | Cybersecurity | Transforming Risk into Boardroom Intelligence


    Dear IT Auditors, Network Segmentation Reviews

    A flat network is a hacker’s dream. Once inside, attackers can move freely from one system to another. That’s why network segmentation is a vital control. It limits access, isolates sensitive assets, and slows down potential attacks. For IT auditors, segmentation reviews are about proving that boundaries exist and actually work.

    📌 Start with the Design
    Understand how the network is structured. Are systems grouped by function or sensitivity? Review diagrams that show zones such as user, server, and DMZ networks. A clear design enables auditors to trace traffic flow and identify areas for improvement.

    📌 Check Access Rules
    Firewalls and VLANs define who can talk to whom. Review access control lists and firewall policies. Ensure that only necessary communication is permitted. Look for “any-to-any” rules. They often signal poor segmentation and excessive trust.

    📌 Validate Segmentation Controls
    Don’t rely only on documentation. Test it. Run network scans or review logs to confirm that segmentation rules are enforced. Sensitive systems like databases or payment servers should never be directly reachable from user networks.

    📌 Review Change Management
    Segmentation can weaken over time. Firewall changes, new servers, or system migrations can create gaps. Check if network changes go through proper approval and testing before implementation.

    📌 Monitor for Violations
    Continuous monitoring is key. Review alerts or reports that flag policy violations, such as blocked traffic between restricted zones. Confirm that incidents are tracked and corrected.

    📌 Cloud and Hybrid Considerations
    Many organizations use cloud networks alongside on-premises systems. Verify that segmentation extends to cloud environments. Virtual networks should follow the same least-privilege principle as physical ones.

    📌 Evidence for the Audit File
    Key evidence includes network diagrams, firewall rulesets, test results, and change control records. These show that segmentation isn’t just on paper but actively managed and enforced.

    When network segmentation is strong, attacks are contained. When it’s weak, one breach can spread fast. Auditors help organizations build the digital walls that keep threats from moving unchecked.

    #NetworkSegmentation #CyberSecurityAudit #ITAudit #RiskManagement #FirewallReview #InternalAudit #CloudSecurity #GRC #InformationSecurity #Assurance #CyberVerge #CyberYard
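The two checks the post calls out, flagging “any-to-any” allow rules and confirming that sensitive zones are not directly reachable from user networks, as an added example that is not the author's own tooling: a small Python auditor over a constructed, first-match firewall ruleset. The zone names, prefixes, rule ids and port list are assumed sample values.

```python
import ipaddress

# Constructed sample zones (as read off a network diagram) and an ordered
# ruleset evaluated first-match; "any" means every address or every port.
ZONES = {"user": "10.10.0.0/16", "server": "10.20.0.0/16",
         "dmz": "192.168.100.0/24", "payment": "10.30.5.0/24"}
RULES = [
    {"id": 10, "src": "10.10.0.0/16", "dst": "192.168.100.0/24", "port": 443, "action": "allow"},
    {"id": 20, "src": "10.20.0.0/16", "dst": "10.30.5.0/24", "port": 5432, "action": "allow"},
    {"id": 30, "src": "any", "dst": "any", "port": "any", "action": "allow"},  # the gap
    {"id": 99, "src": "any", "dst": "any", "port": "any", "action": "deny"},
]
SENSITIVE = {"server", "payment"}  # must never be directly reachable from "user"

def _net(prefix):
    return ipaddress.ip_network("0.0.0.0/0" if prefix == "any" else prefix)

def find_any_to_any(rules):
    """Ids of allow rules with any source, any destination and any port."""
    return [r["id"] for r in rules
            if r["action"] == "allow" and r["src"] == r["dst"] == r["port"] == "any"]

def first_match(rules, src_ip, dst_ip, port):
    """First rule matching the flow, or None for the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in _net(r["src"]) and dst in _net(r["dst"]) and r["port"] in ("any", port):
            return r
    return None

def find_exposures(rules, zones, src_zone, sensitive, ports=(22, 3389, 1433, 5432)):
    """Point-check from the first host of src_zone to the first host of each
    sensitive zone on common admin/database ports. A sample, not a proof:
    other host pairs in the same zones may hit different rules."""
    src_ip = next(_net(zones[src_zone]).hosts())
    exposures = []
    for zone in sorted(sensitive):
        dst_ip = next(_net(zones[zone]).hosts())
        for port in ports:
            hit = first_match(rules, str(src_ip), str(dst_ip), port)
            if hit is not None and hit["action"] == "allow":
                exposures.append((zone, port, hit["id"]))
    return exposures

if __name__ == "__main__":
    print("any-to-any allow rules:", find_any_to_any(RULES))
    for zone, port, rule_id in find_exposures(RULES, ZONES, "user", SENSITIVE):
        print(f"user -> {zone}:{port} is allowed by rule {rule_id}")
```

Deleting rule 30 from the sample set makes both checks come back clean, which is the state the audit evidence should show.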

  • Bob Carver

    CEO Cybersecurity Boardroom ™ | CISSP, CISM, M.S. Top Cybersecurity Voice


    Why Hardware Wins Against Software in the Real World of Microsegmentation
    An Interview with BYOS CEO Matias Katz

    Hardware microsegmentation is a security architecture that uses dedicated, often embedded, hardware enforcement points to create tightly controlled network segments. Unlike purely software-defined solutions, these enforcement points operate independently of the operating system or application stack, enabling segmentation even where software agents can’t be deployed—such as on outdated or proprietary platforms. By enforcing isolation at the hardware level, organizations can precisely control allowed communication flows between systems and block all others, aligning naturally with Zero Trust principles where every connection must be explicitly verified. This approach not only limits lateral movement within the network but also severely restricts access to protected elements, ensuring that no device or user has more access than absolutely necessary.

    When implemented on hardware hardened to FIPS 140-2 cryptographic standards, hardware microsegmentation provides strong, independently validated protection for both control-plane communications and data in transit. FIPS 140-2 certification ensures that cryptographic modules have undergone rigorous testing, making it much harder for attackers to exploit weaknesses or tamper with security controls. Because these protections are built into tamper-resistant hardware rather than dependent on potentially compromised software layers, they are far less susceptible to common attack methods like malware injection, OS-level exploits, or privilege escalation. This makes breaching segmentation boundaries significantly more difficult, even for well-resourced adversaries.

    From an attacker’s point of view, hardware microsegmentation is often nearly invisible. The enforcement points sit outside the view of endpoint processes, have no detectable software footprint, and can silently block or allow traffic based on Zero Trust access policies. This invisibility, combined with strict policy enforcement at the network hardware level, creates a hardened perimeter around protected systems. For vulnerable legacy assets—such as medical equipment, industrial control systems, or unsupported servers—this means they can be wrapped in an impenetrable security layer without altering or patching the systems themselves. The result is a stealthy, high-assurance containment strategy that severely limits unauthorized access while enabling secure operation of even the most sensitive and outdated infrastructure.

    #CyberSecurity #Microsegmentation #LegacySystems #ZeroTrust #NetworkSecurity #FIPS140-2 #IoT #OTSecurity #CriticalInfrastructure #CyberResilience #SecurityArchitecture

  • Ah M.

    #talks about #cisco #Nutanix #ccnp #ccie #security #firewalls #fmc #linux #python #ansible #JSON #nexus #DataCenter #AI #ACI


    This network design features a dual-infrastructure setup using two different firewall platforms, FortiGate and Palo Alto, to provide redundancy and segmentation. The design aims to ensure high availability and robust security for a network with critical assets, likely belonging to a mid to large-sized enterprise.

    The network is connected to two Internet Service Providers (ISPs) labeled ISP-A and ISP-B. The connections are managed through two switches (SW-15 and SW-16) on the FortiGate side, and two other switches (SW-19 and SW-110) on the Palo Alto side. These switches act as the primary and backup points of entry for the internet traffic, ensuring that if one ISP fails, the other can still provide connectivity. This setup provides resilience and fault tolerance.

    On the FortiGate side, two FortiGate firewalls are deployed in a high-availability (HA) configuration. This setup means that one firewall will take over if the other fails, providing uninterrupted security services. The firewalls are connected to layer 3 switches (L3-SW7 and L3-SW13) which manage internal routing and distribution of traffic. The layer 2 switches (L2-SW13) underneath connect to end devices or servers, shown as VPCs. This segmentation allows the internal network to be divided into different VLANs (VLAN 10, 21, 22, 23), each with its IP subnet, offering isolation and traffic management according to the organization’s requirements.

    Similarly, on the Palo Alto side, there are two firewalls, also configured in HA. They are connected to a layer 3 switch (L3-SW8) that performs a similar role in routing and distributing traffic. VLANs (30, 31, 32, 33) are used here as well, indicating that the network is segmented based on functions or departments. This helps in controlling and securing traffic flows, as well as in implementing policies such as access control lists (ACLs) or quality of service (QoS).

    The purpose of this design is twofold: to provide high availability and to ensure security and segmentation across the enterprise network. By using two different firewall platforms, the design can leverage the strengths of each while maintaining a diverse security posture, which is often recommended to avoid single points of failure or uniform vulnerabilities. The VLAN segmentation helps in managing and isolating traffic, ensuring that security policies can be applied more granularly. Additionally, the HA configurations on both the FortiGate and Palo Alto sides prevent downtime during hardware failures, contributing to the network's resilience. This setup offers a scalable, secure, and resilient architecture capable of supporting a range of enterprise applications and services while maintaining strict security controls and high availability.

  • Suresh Katukam

    The World’s Most Secure Network. Delivered as-a-Service.


    Most networks are organized, not secured.

    If you are relying on VLANs for isolation, you don't have a security boundary—you have a filing system. VLANs are great for grouping devices and managing broadcast domains. Over the years, they became the default way we "segment" departments, device types, or operational environments. That design creates the appearance of isolation, but in practice, those boundaries are rarely strict.

    The "Cardboard Door" Problem
    Devices inside the same VLAN can typically communicate freely. Once traffic moves between VLANs, we rely on ACLs or firewall policies to control it. But as environments grow, the "rules of engagement" fall apart:
    - Exceptions are added to support new apps.
    - "Temporary" policies become permanent.
    - The rule set expands until it’s impossible to audit.
    On a network diagram, it looks like a fortress. In operation, it behaves like an open floor plan.

    Reachability is the Goal
    From an attacker’s perspective, a VLAN is not a wall—it’s a neighborhood. Once one device is compromised, discovery tools immediately reveal every other system in that segment. Lateral movement becomes possible without ever needing to "bypass" a security control, because the network architecture allows the connection by default.

    Moving Beyond the Zone
    VLAN-based designs struggle with Zero Trust because they assume trust is inherited by location. Zero Trust assumes the opposite: every single communication must be explicitly authorized. Trust should not exist simply because two systems share the same segment. Real isolation requires granular control over how devices communicate. Without it, segmentation is just an illusion.

    Do your segmentation policies truly limit device-to-device communication, or do they mainly organize the network?

    Nile #ZeroTrust #NetworkSecurity #IoT #ShadowIT #EnterpriseNetworking #CyberSecurity

  • Ryan Perrin

    Helping organisations build secure, resilient security capabilities | Cyber Security Architect | Founder, Zycurity


    By the time your SIEM alerts you to lateral movement, the damage may already be underway. Detection is critical - but it’s reactive. Segmentation is proactive.

    Flat networks make life easy for attackers. Over-permissive firewalls, open ports, or shared service accounts? These create lateral pathways. The fix isn’t more alerts. It’s stronger design:
    • Microsegment sensitive workloads using NSGs and Azure Firewall
    • Implement Just-In-Time (JIT) VM access
    • Use Azure Private Link to avoid exposing services to the public internet
    • Isolate tiers—web, app, and data—with purpose-built network security
    • Leverage Microsoft Entra Conditional Access and PIM to limit identity sprawl

    The more you segment, the less you rely on catching bad actors in motion. Design for containment, not just detection.

    #microsoftsecurity #networksecurity #azure #RyansRecaps

  • Michael G.

    Founder @ INDEX | Helping Enterprises & Startups Secure & Govern Data + Agentic Deployments | Podcast Host


    Azure networking mistakes I keep seeing, over and over.

    Hub-and-spoke topology that only exists on a Visio diagram. VNets peered without NSG rules governing traffic between them. Subnets with no service endpoints because someone thought the virtual network boundary was enough. Azure Firewall deployed but with rules so permissive it's basically a $2,000/month pass-through.

    The fundamental issue: people treat Azure networking like on-prem networking. They think in terms of physical boundaries when the actual boundary is identity and policy. A VM in a "secure" subnet is only as secure as the NSG rules, the identity accessing it, and the data plane protections you've configured.

    If your network architecture in Azure is "we put things in different resource groups," that's not segmentation. That's organization. Segmentation requires intent: what traffic should flow where, what should be denied by default, and how you monitor the boundaries.

    Most Azure environments I audit would fail a basic network security review. Not because the people involved are incompetent. Because Azure networking has a hundred knobs and nobody reads the documentation on what each one does.

    #datasecurity #datagovernance #Microsoft365

  • Nicholas DiCola

    VP Customers | Twitter @MasterSecJedi


    With BRICKSTORM malware leveraging lateral movement and data theft methods that generate minimal to no security telemetry, network segmentation matters more than ever.

    ICYMI - Google Threat Intelligence Group (GTIG) has been tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States and focuses on appliances that traditional EDR tools can’t see. Notably targeting legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology. These “unmanageable” systems are a perfect hiding place, often outside standard visibility, inventory, and access controls.

    This is where #microsegmentation changes the game, and Zero Networks is leading the charge. By isolating every workload and appliance (managed or not) Zero Networks:
    - Prevents lateral movement from compromised devices (like F5 or vCenter).
    - Enforces least privileged communication between systems.
    - Contains intrusions even when traditional tools can’t reach the asset.

    Microsegmentation ensures that even if an attacker lands on an unmonitored edge appliance, they can’t use it as a launchpad into the rest of your environment.

    #Cybersecurity #ThreatIntelligence #ZeroTrust #Microsegmentation

  • Chris H.

    Securing Agentic AI @ Zenity | Founder @ Resilient Cyber | 3x Author | Veteran | Advisor


    The Journey to Zero Trust - Microsegmentation

    Despite what vendors say, the path to Zero Trust isn't through a product, but a process. It's a methodology of how your organization applies cybersecurity principles, involving key pillars such as Identity, Devices, Networks, Apps, and Data.

    This latest Cybersecurity and Infrastructure Security Agency publication emphasizes the Network Pillar and focuses on Microsegmentation, specifically on Introduction and Planning. It covers the core concepts of Segmentation, including Policy-Controlled Access, Network Segmentation, Microsegmentation and Work-Based Options, and how to approach segmentation in phases, from identifying candidate resources to deploying updated segmentation policies. Key planning considerations include user and organizational support, segmentation resources, how to enable segmentation from a policy perspective, and moving towards centralizing control and visibility. It closes with some examples of microsegmentation scenarios of different architectures.

    It is a great resource for cybersecurity and non-cyber leaders and practitioners looking to bolster their architecture and digital environments!

    #ciso #cyber #zerotrust
